๋ณธ๋ฌธ ๋ฐ”๋กœ๊ฐ€๊ธฐ
๋ฐ˜์‘ํ˜•

[Dreamhack]WebHacking32

[Dreamhack] Level1: simple-ssti ๐Ÿ›Ž๏ธ Access ์กด์žฌํ•˜์ง€ ์•Š๋Š” ํŽ˜์ด์ง€ ๋ฐฉ๋ฌธ์‹œ 404 ์—๋Ÿฌ๋ฅผ ์ถœ๋ ฅํ•˜๋Š” ์„œ๋น„์Šค์ž…๋‹ˆ๋‹ค.SSTI ์ทจ์•ฝ์ ์„ ์ด์šฉํ•ด ํ”Œ๋ž˜๊ทธ๋ฅผ ํš๋“ํ•˜์„ธ์š”. ํ”Œ๋ž˜๊ทธ๋Š” flag.txt, FLAG ๋ณ€์ˆ˜์— ์žˆ์Šต๋‹ˆ๋‹ค.   ๐Ÿ‘พ Exploit Algorithm & Payload> app.py๋”๋ณด๊ธฐ#!/usr/bin/python3from flask import Flask, request, render_template, render_template_string, make_response, redirect, url_forimport socketapp = Flask(__name__)try: FLAG = open('./flag.txt', 'r').read()except: FLAG = '[**FLAG**]'app.secret_key = F.. 2024. 3. 24.
[Dreamhack] Level1: random-test ๐Ÿ›Ž๏ธ Access์ƒˆ ํ•™๊ธฐ๋ฅผ ๋งž์•„ ๋“œ๋ฆผ์ด์—๊ฒŒ ์‚ฌ๋ฌผํ•จ์ด ๋ฐฐ์ •๋˜์—ˆ์Šต๋‹ˆ๋‹ค. ํ•˜์ง€๋งŒ ๊ธฐ์–ต๋ ฅ์ด ์•ˆ ์ข‹์€ ๋“œ๋ฆผ์ด๋Š” ์‚ฌ๋ฌผํ•จ ๋ฒˆํ˜ธ์™€ ์ž๋ฌผ์‡  ๋น„๋ฐ€๋ฒˆํ˜ธ๋ฅผ ๋ชจ๋‘ ์žŠ์–ด๋ฒ„๋ฆฌ๊ณ  ๋ง์•˜์–ด์š”... ๋“œ๋ฆผ์ด๋ฅผ ์œ„ํ•ด ์‚ฌ๋ฌผํ•จ ๋ฒˆํ˜ธ์™€ ์ž๋ฌผ์‡  ๋น„๋ฐ€๋ฒˆํ˜ธ๋ฅผ ์•Œ์•„๋‚ด ์ฃผ์„ธ์š”!์‚ฌ๋ฌผํ•จ ๋ฒˆํ˜ธ๋Š” ์•ŒํŒŒ๋ฒณ ์†Œ๋ฌธ์ž ํ˜น์€ ์ˆซ์ž๋ฅผ ํฌํ•จํ•˜๋Š” 4์ž๋ฆฌ ๋žœ๋ค ๋ฌธ์ž์—ด์ด๊ณ , ๋น„๋ฐ€๋ฒˆํ˜ธ๋Š” 100 ์ด์ƒ 200 ์ดํ•˜์˜ ๋žœ๋ค ์ •์ˆ˜์ž…๋‹ˆ๋‹ค. ๋‘ ๊ฐ’์„ ๋งž๊ฒŒ ์ž…๋ ฅํ•˜๋ฉด ํ”Œ๋ž˜๊ทธ๊ฐ€ ์ถœ๋ ฅ๋ฉ๋‹ˆ๋‹ค. ํ”Œ๋ž˜๊ทธ๋Š” FLAG ๋ณ€์ˆ˜์— ์žˆ์Šต๋‹ˆ๋‹ค.ํ”Œ๋ž˜๊ทธ ํ˜•์‹์€ DH{...} ์ž…๋‹ˆ๋‹ค.  ๐Ÿ‘พ Exploit Algorithm & Payload> app.py๋”๋ณด๊ธฐ#!/usr/bin/python3from flask import Flask, request, render_templateimport stringimport rand.. 2024. 3. 4.
[Dreamhack] Level1: [wargame.kr] strcmp ๐Ÿ›Ž๏ธ Access if you can bypass the strcmp function, you get the flag. ๐Ÿ‘พ Exploit Algorithm & Payload > view-source ๋”๋ณด๊ธฐ password : view-source #1 : '/' ํŽ˜์ด์ง€์—์„œ password๋ฅผ ์ž…๋ ฅํ•  ์ˆ˜ ์žˆ๋Š” ํผ์ด ์žˆ๊ณ  'chk' ๋ฒ„ํŠผ์„ ๋ˆ„๋ฅด๋ฉด ํŒจ์Šค์›Œ๋“œ๊ฐ€ ํ‹€๋ฆฐ์ง€ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค. : '/?view-sourc' ํŽ˜์ด์ง€์—์„œ๋Š” PHP ์›น ํŽ˜์ด์ง€์˜ ์ผ๋ถ€๋ฅผ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค. : strcmp ์ทจ์•ฝ์ ์„ ์ด์šฉํ•˜๋ฉด ํ’€๋ฆด ๊ฒƒ์ด๋ผ๋Š” ๊ฒƒ์„ ์œ ์ถ”ํ•  ์ˆ˜ ์žˆ๋‹ค. #2 strcmp(): ๋‘ ๋ฌธ์ž์—ด์ด ๊ฐ™์œผ๋ฉด 0์„, ๊ฐ™์ง€ ์•Š์œผ๋ฉด 0์ด ์•„๋‹Œ ๊ฐ’์„ ๋ฐ˜ํ™˜ strncmp(): ๋‘ ๋ฌธ์ž์—ด์˜ ์›ํ•˜๋Š” ๊ธธ์ด๋งŒํผ ๊ฐ™์œผ๋ฉด 0์„ ๊ฐ™์ง€ ์•Š์œผ๋ฉด 0์ด ์•„๋‹Œ ๊ฐ’์„ .. 2024. 2. 25.
[Dreamhack] Level2: login-1 ๐Ÿ›Ž๏ธ Access python์œผ๋กœ ์ž‘์„ฑ๋œ ๋กœ๊ทธ์ธ ๊ธฐ๋Šฅ์„ ๊ฐ€์ง„ ์„œ๋น„์Šค์ž…๋‹ˆ๋‹ค. "admin" ๊ถŒํ•œ์„ ๊ฐ€์ง„ ์‚ฌ์šฉ์ž๋กœ ๋กœ๊ทธ์ธํ•˜์—ฌ ํ”Œ๋ž˜๊ทธ๋ฅผ ํš๋“ํ•˜์„ธ์š”. ๐Ÿ‘พ Exploit Algorithm & Payload > app.py ๋”๋ณด๊ธฐ #!/usr/bin/python3 from flask import Flask, request, render_template, make_response, redirect, url_for, session, g import sqlite3 import hashlib import os import time, random app = Flask(__name__) app.secret_key = os.urandom(32) DATABASE = "database.db" userLevel = { 0 : 'gu.. 2024. 2. 25.
๋ฐ˜์‘ํ˜•